Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to access a property on the last element in an array,accessing last element in json array?

marcovdlinden
New Member
‎08-30-2019 03:23 AM

Hi I have json events that have an array with objects and i want to extract a property from it

Some pseudo search code

| spath output=LastResult  path=message.results{-1}
| table LastResult.timestamp

{-1} indexing does not seem to work in spath

| spath output=Results  path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp

Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.

my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.

Is there a good way to do this?

,I got a json that with arrays in events.
I'd like to access a property of the last element in such array

| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp

but {-1} does not seem to work for indexing the last element

| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp

mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work

Is there a way to do this?

0 Karma
Reply

poete
Builder
‎08-30-2019 07:33 AM

Hello @marcovdlinden ,

check this. It should solve you problem.

| makeresults 
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)
Reply

jawaharas
Motivator
‎08-30-2019 05:45 AM

Can you provide sample JSON?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...